Data of patients at Ohio hospital may be at risk

Employee improperly accessed nearly 600 patient records over the course of a year


May 29-- ProMedica officials are not disclosing the motive behind a security breach at its Bay Park Hospital that may have compromised the personal information of nearly 600 patients.

The hospital system said it discovered last month that an employee had accessed 594 patient records between April 1, 2013, and April 1, 2014, but officials refused to disclose why the employee violated the privacy of patients by looking at their personal information. They said the person responsible was not directly treating the patients.

Hospital officials also refused to disclose any information about the person involved in the incident, citing employee confidentiality concerns. When asked if this employee had committed a criminal offense, ProMedica officials said the incident was reported to the U.S. Department of Health and Human Services, but that no law enforcement agencies were contacted.

"ProMedica Bay Park Hospital values patient privacy and deeply regrets that this incident occurred. The hospital is taking this matter very seriously. ProMedica immediately deactivated the employee's access to patient information and the individual is no longer employed by ProMedica," the hospital said in a statement released to the news media on Wednesday.

The hospital completed its investigation of the incident and discovered the security breach on April 2 but did not notify the public until Wednesday, nearly two months later.

Hospital spokesman Serena Smith said ProMedica is complying with rules established by the U.S. Department of Health and Human Services concerning public notification of health-record violations.

Bay Park officials are sending letters to patients whose personal information was compromised.

The investigation found the information that the employee accessed may have included full name, date of birth, diagnosis, hospital visit number, medical record number, attending physician, medications, and other clinical information, Ms. Smith said.

"Based on our records, we don't believe the information accessed by the employee contained any financial information, including Social Security numbers, or that the employee intended to retain any viewed information," hospital officials said in a news release.

Despite the assertion that the former employee did not access financial information of patients, the hospital is offering to pay for identity-theft protection services for those affected for up to a year.

Officials also are advising those affected to consider placing a 90-day fraud alert on their credit files.

The hospital also plans to provide training for current employees on federal Health Insurance Portability and Accountability Act rules, which govern the privacy of health information, Ms. Smith said.

Those who do not receive letters and believe their records may have been compromised can send inquiries to promedicaprivacy@-promedica.org.

Contact Marlene Harris-Taylor at mtaylor@theblade.com or 419-724-6091.

Copyright 2014 - The Blade, Toledo, Ohio